2022/07/07
Starting from 00:00(GMT+8) of October 7, 2023, Elastic Compute Service (ECS) Deployment Set supports Resource Access Management (RAM) authentication for access to API operations, allowing granular access control over resources and operations.
Before the change, all RAM users can access deployment sets and call API operations that involve deployment sets. After the change, RAM users who are not granted permissions on deployment sets cannot access deployment sets or call the API operations that involve deployment sets.
The RAM authentication feature for Deployment Set is in canary release. Some users may not be impacted on October 7, 2023. To prevent business interruptions caused by authentication failures, check that the RAM users that you want to use to access deployment sets are granted permissions on deployment sets.
Involved API operations:
CreateDeploymentSet
ModifyDeploymentSetAttribute
DeleteDeploymentSet
DescribeDeploymentSets
After the change, the RAM users that you want to use to manage deployment sets must have the following permissions:
ecs:CreateDeploymentSet
ecs:DeleteDeploymentSet
ecs:ModifyDeploymentSetAttribute
ecs:DescribeDeploymentSets
Examples of least-privilege authorization:
CreateDeploymentSet authorization
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "ecs:CreateDeploymentSet",
"Resource": "acs:ecs:*:*:deploymentset/*"
}
]
}
DeleteDeploymentSet authorization
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "ecs:DeleteDeploymentSet",
"Resource": "acs:ecs:*:*:deploymentset/*"
}
]
}
ModifyDeploymentSetAttribute authorization
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "ecs:ModifyDeploymentSetAttribute",
"Resource": "acs:ecs:*:*:deploymentset/*"
}
]
}
DescribeDeploymentSets authorization
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "ecs:DescribeDeploymentSets",
"Resource": "acs:ecs:*:*:deploymentset/*"
}
]
}
Before the change, all RAM users can access deployment sets and call API operations that involve deployment sets. After the change, RAM users who are not granted permissions on deployment sets cannot access deployment sets or call the API operations that involve deployment sets.
The RAM authentication feature for Deployment Set is in canary release. Some users may not be impacted on October 7, 2023. To prevent business interruptions caused by authentication failures, check that the RAM users that you want to use to access deployment sets are granted permissions on deployment sets.
Involved API operations:
CreateDeploymentSet
ModifyDeploymentSetAttribute
DeleteDeploymentSet
DescribeDeploymentSets
After the change, the RAM users that you want to use to manage deployment sets must have the following permissions:
ecs:CreateDeploymentSet
ecs:DeleteDeploymentSet
ecs:ModifyDeploymentSetAttribute
ecs:DescribeDeploymentSets
Examples of least-privilege authorization:
CreateDeploymentSet authorization
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "ecs:CreateDeploymentSet",
"Resource": "acs:ecs:*:*:deploymentset/*"
}
]
}
DeleteDeploymentSet authorization
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "ecs:DeleteDeploymentSet",
"Resource": "acs:ecs:*:*:deploymentset/*"
}
]
}
ModifyDeploymentSetAttribute authorization
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "ecs:ModifyDeploymentSetAttribute",
"Resource": "acs:ecs:*:*:deploymentset/*"
}
]
}
DescribeDeploymentSets authorization
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "ecs:DescribeDeploymentSets",
"Resource": "acs:ecs:*:*:deploymentset/*"
}
]
}
